SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Linux)  >   Netfilter Vendors:   Netfilter.org
Linux Netfilter With Network Address Translation (NAT) Can Be Crashed By Remote Users in Certain Cases
SecurityTracker Alert ID:  1007376
SecurityTracker URL:  http://securitytracker.com/id/1007376
CVE Reference:   CVE-2003-0467   (Links to External Site)
Date:  Aug 2 2003
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Linux 2.4.20 kernels and recent 2.5 kernels
Description:   A vulnerability was reported in the network address translation (NAT) implementation in Netfilter. A remote user may be able to cause the target system to crash.

It is reported that under certain circumstances, a remote user can send FTP or IRC packets to cause the system to crash.

If the affected kernel is configured with the CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC options enabled or if the ip_nat_ftp or ip_nat_irc modules are loadedloaded and FTP and IRC services are not filtered, the vulnerability can be triggered.

Impact:   A remote user can cause the system to crash.
Solution:   The vendor has issued a fix in Linux kernel 2.4.21. Also, a patch for 2.4.20 is available in the Source Message and at the Vendor URL.

As a workaround, the vendor indicates that the affected modules can be removed or iptables can be used to block FTP and IRC connections.

According to the report, all of 2.4.20-based kernels shipped by Red Hat include the fix alread.

Vendor URL:  www.netfilter.org/security/2003-08-01-nat-sack.html (Links to External Site)
Cause:   State error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 26 2003 (SnapGear Issues Fix for Their Routers) Re: Linux Netfilter With Network Address Translation (NAT) Can Be Crashed By Remote Users in Certain Cases
SnapGear has issued a firmware fix.
Sep 23 2003 (Ingate Firewall Fix is Available) Re: Linux Netfilter With Network Address Translation (NAT) Can Be Crashed By Remote Users in Certain Cases
Ingate Systems has issued a fix for the Ingate Firewall product line.



 Source Message Contents

Subject:  [SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle)



                   Netfilter Core Team Security Advisory

                            CVE: CAN-2003-0467

Subject:

   Netfilter / NAT Remote DoS

Released:

   01 Aug 2003

Effects:

   Under limited circumstances, a remote user may be able to crash a
   machine doing Network Address Translation (NAT).

Estimated Severity:

   Medium.

Systems Affected:

   Linux 2.4.20 kernels and recent 2.5 kernels with
   CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC enabled, or the
   ip_nat_ftp or ip_nat_irc modules loaded, on which ftp and irc users
   are not packet filtered out.

Solution:

   BEST: Upgrade to Linux kernels 2.4.21 (stable), or apply the patch below.

   OR: As a workaround, the modules can be removed, or iptables can
   be used to block untrusted users from initiating ftp or irc
   connections through the NAT machine.

Details:

   This was verified by Rusty Russell on 2.4.20, and verified fixed
   with this patch.

Vendor Statement:

   Red Hat: All of the 2.4.20-based kernels shipped by Red Hat already
            contain the patch and are not vulnerable to this issue.
   Others:  unknown

Credits:
   The problem was found, and the fix implemented by the Netfilter Core Team.

Contact:
   coreteam@netfilter.org

diff -urpN --exclude TAGS -X /home/rusty/devel/kernel/kernel-patches/current-dontdiff 
--minimal linux-2.4.21-pre7/net/ipv4/netfilter/ip_nat_helper.c 
working-2.4.21-pre7-sackadjust/net/ipv4/netfilter/ip_nat_helper.c
--- linux-2.4.21-pre7/net/ipv4/netfilter/ip_nat_helper.c	2003-04-06 15:26:48.000000000 +1000
+++ working-2.4.21-pre7-sackadjust/net/ipv4/netfilter/ip_nat_helper.c	2003-04-14 
23:18:38.000000000 +1000
@@ -366,54 +365,49 @@ sack_adjust(struct tcphdr *tcph,
  }
  			

-/* TCP SACK sequence number adjustment, return 0 if sack found and adjusted */
-static inline int
+/* TCP SACK sequence number adjustment. */
+static inline void
  ip_nat_sack_adjust(struct sk_buff *skb,
-			struct ip_conntrack *ct,
-			enum ip_conntrack_info ctinfo)
+		   struct ip_conntrack *ct,
+		   enum ip_conntrack_info ctinfo)
  {
-	struct iphdr *iph;
  	struct tcphdr *tcph;
-	unsigned char *ptr;
-	int length, dir, sack_adjusted = 0;
+	unsigned char *ptr, *optend;
+	unsigned int dir;

-	iph = skb->nh.iph;
-	tcph = (void *)iph + iph->ihl*4;
-	length = (tcph->doff*4)-sizeof(struct tcphdr);
+	tcph = (void *)skb->nh.iph + skb->nh.iph->ihl*4;
+	optend = (unsigned char *)tcph + tcph->doff*4;
  	ptr = (unsigned char *)(tcph+1);

  	dir = CTINFO2DIR(ctinfo);

-	while (length > 0) {
-		int opcode = *ptr++;
+	while (ptr < optend) {
+		int opcode = ptr[0];
  		int opsize;

  		switch (opcode) {
  		case TCPOPT_EOL:
-			return !sack_adjusted;
+			return;
  		case TCPOPT_NOP:
-			length--;
+			ptr++;
  			continue;
  		default:
-			opsize = *ptr++;
-			if (opsize > length) /* no partial opts */
-				return !sack_adjusted;
+			opsize = ptr[1];
+			 /* no partial opts */
+			if (ptr + opsize > optend || opsize < 2)
+				return;
  			if (opcode == TCPOPT_SACK) {
  				/* found SACK */
  				if((opsize >= (TCPOLEN_SACK_BASE
  					       +TCPOLEN_SACK_PERBLOCK)) &&
  				   !((opsize - TCPOLEN_SACK_BASE)
  				     % TCPOLEN_SACK_PERBLOCK))
-					sack_adjust(tcph, ptr-2,
+					sack_adjust(tcph, ptr,
  						    &ct->nat.info.seq[!dir]);
-				
-				sack_adjusted = 1;
  			}
-			ptr += opsize-2;
-			length -= opsize;
+			ptr += opsize;
  		}
  	}
-	return !sack_adjusted;
  }

  /* TCP sequence number adjustment */

--
- Harald Welte              http://www.netfilter.org/
============================================================================
   "Fragmentation is like classful addressing -- an interesting early
    architectural error that shows how much experimentation was going
    on while IP was being designed."                    -- Paul Vixie



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC